Andrew Struiksma wrote:
At the top of the config after "http_port 80" add these:

   acl port80 myport 80
   deny_info https://site.company.org port80
   http_access deny port80

That will cause squid itself to send a 3xx moved fake 'error'
message to all port 80 requests. The user's browser will then
automatically re-connect to port 443 before being asked to login.

NP: for anyone else trying to copy this: it only works on one
domain name at a time. Needs adjustment for virtual-hosted setups.

Can I add in an ACL to permit users from certain IP ranges
to access the site without having to authenticate to LDAP? I'm
thinking about sending all users through Squid but I don't
want to force users on our LAN to have to authenticate.
Yes. Just chain the acl names properly. An http_access allow
line before one that requires auth should do it.


Thanks for your help! This is my new config that seems to be working fine:

---------------------
http_port 80 defaultsite=mysite.company.org
https_port 443 cert=/etc/ssl/certs/company.cert key=/etc/ssl/certs/company.key defaultsite=mysite.company.org

#redirects all http traffic to https
# deny_info turns the deny into a 3xx to the given URL; this block sits before
# the auth rules so no credentials are ever requested over plain port 80
acl port80 myport 80
deny_info https://mysite.company.org port80
http_access deny port80

# origin server; DONT_VERIFY_PEER makes squid accept any certificate from the
# origin, so the squid->origin hop is encrypted but not authenticated
cache_peer mysite.company.org parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
acl our_sites dstdomain mysite.company.org
acl all src 0.0.0.0/0.0.0.0

# basic auth against AD via LDAP; the bind password is in clear text here,
# so squid.conf must not be world-readable
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=company,dc=org" -D "cn=squid_user,cn=Users,dc=company,dc=org" -w "password" -f sAMAccountName=%s -h 192.168.1.2
auth_param basic children 2
auth_param basic realm Our Website
auth_param basic credentialsttl 2 hours

#these networks can access mysite without authenticating
acl trusted_nets src 10.2.1.0/24
acl trusted_nets src 192.168.1.0/24

acl ldap_users proxy_auth REQUIRED

# first match wins: trusted nets bypass auth, everyone else must authenticate;
# a request matching no line gets the opposite of the last line, i.e. deny
http_access allow trusted_nets our_sites
http_access allow ldap_users our_sites

cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

never_direct allow our_sites
---------------------

You mentioned supporting multiple hosts. Is it relatively easy for a squid 
reverse proxy to provide access to several internal servers (I.e. 
mysite.company.org, mysite2.company.org, etc)?


Yes. Very.

Just add 'vhost' option to http_port.
And list each domain in the our_sites ACL.

For multiple internal web servers, a peer line is needed for each, with a small re-arrangement of the ACLs to route domains to the right one(s).

Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
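
As an added worked example (not a config from this thread), here is the multi-host version Amos describes above: vhost on both listening ports, one cache_peer per internal server, per-domain routing with cache_peer_access, a per-domain deny_info so each host redirects to its own https URL, and the trusted-nets-before-auth chaining from the earlier reply. The second hostname, the internal origin addresses, the CA file path and the LDAP bind details are assumptions for illustration.

```squid
# Added example: squid 2.7 / 3.0 reverse proxy for several virtual hosts.
# mysite2.company.org, the 10.1.1.x origin addresses, internal-ca.pem and the
# LDAP bind values are placeholders, not values from the thread.

http_port  80  accel vhost
https_port 443 accel vhost cert=/etc/ssl/certs/company.cert key=/etc/ssl/certs/company.key

acl all src 0.0.0.0/0.0.0.0
acl port80 myport 80

# one dstdomain ACL per published host, plus one covering all of them
acl site1 dstdomain mysite.company.org
acl site2 dstdomain mysite2.company.org
acl our_sites dstdomain mysite.company.org mysite2.company.org

# http -> https redirect, one target URL per host. deny_info is keyed on the
# last ACL of the denying http_access line, so that ACL selects the URL.
deny_info https://mysite.company.org/ site1
deny_info https://mysite2.company.org/ site2
http_access deny port80 site1
http_access deny port80 site2
# port 80 requests for any other Host get a plain 403, not a redirect
http_access deny port80

# one origin per host; the origin cert is verified against an internal CA
# (assumed path) and checked against the published name with ssldomain=,
# instead of sslflags=DONT_VERIFY_PEER
cache_peer 10.1.1.10 parent 443 0 no-query originserver ssl sslcafile=/etc/ssl/certs/internal-ca.pem ssldomain=mysite.company.org name=site1_origin
cache_peer 10.1.1.11 parent 443 0 no-query originserver ssl sslcafile=/etc/ssl/certs/internal-ca.pem ssldomain=mysite2.company.org name=site2_origin

# route each domain to its own peer only
cache_peer_access site1_origin allow site1
cache_peer_access site1_origin deny all
cache_peer_access site2_origin allow site2
cache_peer_access site2_origin deny all

# LDAP basic auth; only ever requested on 443 because port 80 is denied above
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=company,dc=org" -D "cn=squid_user,cn=Users,dc=company,dc=org" -w "password" -f sAMAccountName=%s -h 192.168.1.2
auth_param basic children 2
auth_param basic realm Our Website
auth_param basic credentialsttl 2 hours

# LAN ranges that bypass authentication
acl trusted_nets src 10.2.1.0/24
acl trusted_nets src 192.168.1.0/24
acl ldap_users proxy_auth REQUIRED

# first match wins: the allow for trusted nets must precede the auth line,
# and the explicit deny at the end stops anything not listed in our_sites
http_access allow trusted_nets our_sites
http_access allow ldap_users our_sites
http_access deny all

never_direct allow our_sites
```

Check the file with `squid -k parse` before reloading. Two points worth keeping in mind when adapting it: the redirect works per domain because deny_info is attached to an ACL name, so every published host needs its own dstdomain ACL and deny line; and although squid's default for an unmatched request is the opposite of the last http_access line, the explicit `http_access deny all` means a later edit that appends an allow line cannot silently open the proxy.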
